In a cyber-attack, hackers use the stolen login credentials of users and try to break into other accounts by logging into other services.
A simple example of credential stuffing is when there is a breach in a department store, and the attacker gets to obtain a list of usernames and passwords. These hackers then use the same usernames and passwords to log into a bank website. The attacker does this hoping that some customers from the hacked list may be using the same username and password for their bank account.
This cybercrime of credential stuffing is now widespread owing to the demand for breached credentials on the dark web. Many breached credentials are traded and sold in the black market, which is dangerous to individual safety. However, it is a widespread technique and an opportunity for attackers to make money. Hackers have been using advanced techniques like bots to get past the conventional login protections to breach data.
Why is credential effective for attackers?
While the volume of data garnered through credential stuffing is pretty high, their strike rate is low. As per statistics, the success of such attacks is low and estimated to be about 0.1%. It means for 1000 accounts a hacker tries to attack, they succeed only once. Because the volume of data is high, credential stuffing is considered worth it even if the success rate is low.
There are billions of login credentials. Even if an attacker can crack a million data in then, the probability is to have 1000 successful accounts cracked. Even if small numbers of data get cracked successfully, the amount of money a hacker makes can be pretty substantial. Sensitive data like credit card numbers or bank accounts are obtained in phishing attacks, and it is worthwhile for attackers to make money.
This set of data is used in innumerable services for breaking into different accounts.
Credential stuffing is possible using bot technology, thus making it easier and viable for attackers to use this channel of cyber-attack. Web application logins have security features. Hence, these applications can delay logins or even ban the IP addresses of those users whose login attempts have failed repeatedly.
The modern software uses bots that circumvent the protections by attempting several logins that appear to come from various devices and originate from different IP addresses. The goal of these malicious bots is to make the login attempts appear indistinguishable and look like typical login traffic, which is highly effective.
The only indication that a victim has been attacked is the rise in the overall number of login attempts. It is difficult for the victim to stop these attempts without affecting the legitimate user's login attempts to the service.
One crucial mistake people make is reusing their passwords. The credential stuffing takes advantage of this. Studies have shown that most users estimated to be as high as 85%, reuse passwords for different services. So, if one has an email account, a social media account, and a bank account, and if a user has the same password for all their services, it puts them at significant risk. If the attacker, by chance, gets the username and password after the credentials stuffing attack from phishing an email account, there are high chances that the bank account can be compromised later. As long as this practice continues, attackers will be successful in credential stuffing. As a rule, users must ensure having unique passwords for different services.
Difference between Brute Force attacks and Credential Stuffing
Credential stuffing is a subsidiary of Brute Force attacks, though it is different strictly speaking. A brute force attack is without any planning and not subtle. It attacks and attempts to break in by guessing passwords with no clues or contexts and uses characters randomly, sometimes combing with common password suggestions. Credential stuffing uses exposed data and reduces the number of iterations required to guess the correct passwords.
How to protect against Brute Force Attacks?
An excellent way to defend oneself is to use strong passwords consisting of several characters, numbers, special numbers, and a combination of capital and small letters. While this is good for brute force attacks, it has no relevance for credential stuffing.
No matter how robust a password is, if it has been reused in different services, the credential stuffing will expose it.
How to protect and prevent credential stuffing?
It is easy for a user to prevent credential stuffing. It can use different passwords for different services, thus reducing the risk.
A Passwords Manager can assist in this activity. If the passwords are unique, the credential stuffing will not work in different accounts.
As an enhanced measure of security, users should always opt for Two-factor authentication wherever it is available. Banking Transactions always use Two Factor Authentication in the form of OTP on one’s mobile device.
How can organizations prevent credential stuffing?
Strangely, a company becomes a victim of credential stuffing even though its security is not compromised. It occurs when there is a data breach in other companies, and the attacker uses other companies' credentials with banks. If the passwords match, the attack is complete even though the bank's security or the credentials are okay. Stopping this type of attack is complex, especially for companies that run authentication services.
Companies can suggest using unique passwords to their employees but cannot enforce the rule. Also, employees could be reusing a password they have already used in some other services. It can be problematic as employees may not know whether that service has been breached or not.
Additional login security features like two-factor authentications or filling out the captcha (Completely Automated Public Turing test to tell Computers and Humans Apart). It will protect against malicious bots. These two features cause inconvenience to users; it is worth reducing security threats.
The most effective protection against credential stuffing is to have a bot management service. Bot management uses rate-limiting in combination with an IP reputation database that helps to prevent malicious bots from making login attempts without obstructing legitimate logins.
Bot Management service providers collect data from an average of 25 million requests per second routed through its network. Here it can identify and stop credential stuffing bots with high accuracy.